Hi,
the Certificates MMC snap-in lets you view and edit most of the certificates Windows uses (except the enterprise stores), but it does not show where those certificates are actually stored.
Here is a list of where those certificates physically reside.
Certificates located in the Registry
Context | Registry Path | Description |
---|---|---|
User | HKCU\SOFTWARE\Microsoft\SystemCertificates | Physical store for user-specific certificates |
User | HKCU\SOFTWARE\Policies\Microsoft\SystemCertificates | Physical store for user-specific certificates installed by Active Directory (AD) Group Policy Objects (GPOs) |
Computer | HKLM\SOFTWARE\Microsoft\SystemCertificates | Physical store for machine-wide certificates |
Computer | HKLM\SOFTWARE\Microsoft\Cryptography\Services\<ServiceName>\SystemCertificates | Physical store for certificates associated with a specific service |
Computer | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates | Physical store for machine-wide certificates installed by GPOs |
Computer | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates | Physical store for machine-wide certificates replicated from the Public Key Services container of the AD domain (e.g. NTAuth, Root) |
Each store key holds Certificates, CRLs and CTLs subkeys. Under Certificates, every entry is a subkey named after the certificate's SHA-1 thumbprint, and the encoded certificate lives in that subkey's Blob value.
Certificates located in the Filesystem
Context | Filepath | Description |
---|---|---|
User | %APPDATA%\Microsoft\SystemCertificates | Physical store for user-specific certificates and their links to private keys |
User | %APPDATA%\Microsoft\Crypto | Physical store for user-specific private key containers (RSA\<SID> for CAPI keys, Keys for CNG keys) |
Computer | %ProgramData%\Microsoft\Crypto | Physical store for machine-wide private key containers (RSA\MachineKeys for CAPI keys, Keys for CNG keys) |
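The key container directories in the table are only useful if you can tell which file belongs to which certificate. The following script is an added example (not code from the original post): for every certificate with a private key in a store, it asks the key object for its unique container name and then locates that file under the directory the table gives for that context. It assumes Windows PowerShell 5.1 or later on Windows; reading LocalMachine keys needs an elevated prompt, and the `Get-KeyContainerInfo` helper and the `$StorePath` parameter are names chosen here.

```powershell
# Added example, not from the original post: map certificates in a store to the private key
# container file on disk. Assumes Windows PowerShell 5.1+; run elevated for LocalMachine.
param([string]$StorePath = 'Cert:\LocalMachine\My')

$machine = $StorePath -like 'Cert:\LocalMachine\*'
# Per the table above: machine keys under %ProgramData%\Microsoft\Crypto, user keys under
# %APPDATA%\Microsoft\Crypto. CAPI containers sit in RSA\ (and DSS\), CNG keys in Keys\.
$cryptoRoot = if ($machine) { Join-Path $env:ProgramData 'Microsoft\Crypto' } else { Join-Path $env:APPDATA 'Microsoft\Crypto' }

function Get-KeyContainerInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The extension methods return a CNG object (RSACng/ECDsaCng) for KSP keys and a CSP object
    # (RSACryptoServiceProvider) for legacy CAPI keys. Each exposes the unique container name,
    # which is also the file name on disk.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert) }
    if (-not $key) { return $null }
    if ($key.PSObject.Properties['Key'] -and $key.Key -is [System.Security.Cryptography.CngKey]) {
        return @{ Api = 'CNG'; Provider = $key.Key.Provider.Provider; UniqueName = $key.Key.UniqueName }
    }
    if ($key.PSObject.Properties['CspKeyContainerInfo']) {
        $info = $key.CspKeyContainerInfo
        return @{ Api = 'CAPI'; Provider = $info.ProviderName; UniqueName = $info.UniqueKeyContainerName }
    }
    return $null
}

foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey) {
    try { $info = Get-KeyContainerInfo -Cert $cert } catch { Write-Warning "$($cert.Thumbprint): $_"; continue }
    $file = $null
    if ($info -and $info.UniqueName) {
        # Search the whole tree: CAPI keys live in RSA\MachineKeys or RSA\<SID>, CNG keys in Keys.
        $file = Get-ChildItem -Path $cryptoRoot -Recurse -Force -File -Filter $info.UniqueName -ErrorAction SilentlyContinue |
            Select-Object -First 1 -ExpandProperty FullName
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Api        = $info.Api
        Provider   = $info.Provider
        # Smart card, TPM (Platform Crypto Provider) and inaccessible keys have no readable file here.
        KeyFile    = $(if ($file) { $file } else { 'not found on disk (smart card / TPM / no access)' })
    }
}
```

The container files are DPAPI-protected, so the ACL on the directory (and, for machine keys, membership in the local Administrators group) is what stands between an attacker and the key material; a key whose file cannot be found is typically hardware-backed or on a smart card, which is the outcome you want for high-value certificates.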
The certificates can be managed through the PowerShell Cert: PSDrive (the Certificate provider).
User certificates:
```powershell
PS D:\> cd Cert:\CurrentUser\my
PS Cert:\CurrentUser\my> Get-Item *
```
Computer certificates:
```powershell
PS D:\> cd Cert:\LocalMachine\my
PS Cert:\LocalMachine\my> Get-Item *
```
The enterprise stores are not exposed through the Cert: drive, but they can be read directly from the registry.
An example to get all certificates from the enterprise NTAuth store (the leading comma keeps the byte array from being unrolled into separate constructor arguments):
```powershell
PS D:\> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\*' -Name Blob |
    ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$_.Blob) }
```
Or with certutil:
```
D:\> certutil -store -enterprise ntauth
```
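The Cert: drive merges the physical stores from the registry table above, so it cannot tell you whether a trusted root arrived by GPO, was replicated from AD, or was dropped into HKCU by a local user or a piece of malware. The following script is an added example (not code from the original post) that reads one logical store, Root by default, from each registry-backed physical store and reports the origin of every certificate. It assumes Windows PowerShell 5.1 or later on Windows; the physical-store labels, the `$StoreName` parameter and the `Get-RegistryStoreCertificate` helper are names chosen here.

```powershell
# Added example, not from the original post: enumerate one logical store across every
# registry-backed physical store from the table above and report where each certificate
# came from. Assumes Windows PowerShell 5.1+ on Windows.
param([string]$StoreName = 'Root')

# Registry roots from the table above; the labels are only used in the report.
$physicalStores = @(
    @{ Name = 'User';          Path = "HKCU:\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates" }
    @{ Name = 'UserPolicy';    Path = "HKCU:\SOFTWARE\Policies\Microsoft\SystemCertificates\$StoreName\Certificates" }
    @{ Name = 'Machine';       Path = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates" }
    @{ Name = 'MachinePolicy'; Path = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\$StoreName\Certificates" }
    @{ Name = 'Enterprise';    Path = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\$StoreName\Certificates" }
)

function Get-RegistryStoreCertificate {
    param([string]$PhysicalStore, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        # Each subkey is named after the SHA-1 thumbprint. Its Blob value is a serialized store
        # element (property records followed by the DER certificate), which the X509Certificate2
        # constructor accepts on Windows. The leading comma prevents unrolling of the byte array.
        $blob = $key.GetValue('Blob')
        if (-not $blob) { continue }
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$blob)
        } catch {
            Write-Warning "Cannot parse $($key.PSChildName) in $PhysicalStore : $_"
            continue
        }
        [pscustomobject]@{
            PhysicalStore = $PhysicalStore
            Thumbprint    = $cert.Thumbprint
            # A subkey whose name does not match the certificate it holds was written by hand.
            KeyNameMatches = ($cert.Thumbprint -eq $key.PSChildName)
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

$all = foreach ($ps in $physicalStores) { Get-RegistryStoreCertificate -PhysicalStore $ps.Name -Path $ps.Path }

$all | Sort-Object Subject, PhysicalStore | Format-Table PhysicalStore, Thumbprint, Subject, NotAfter, KeyNameMatches -AutoSize

# Certificates that appear in no Policy or Enterprise store were not delivered by AD: they
# came with the OS image, were installed by software, or were added by a user. Those, and in
# particular anything only in the HKCU store, are the entries worth reviewing.
$byThumbprint = $all | Group-Object Thumbprint
$notFromAd = $byThumbprint | Where-Object { -not ($_.Group.PhysicalStore -match 'Policy|Enterprise') }
"`n{0} distinct certificate(s) in {1}; {2} not delivered by GPO or AD:" -f $byThumbprint.Count, $StoreName, $notFromAd.Count
$notFromAd | ForEach-Object { $_.Group[0] } | Format-Table PhysicalStore, Thumbprint, Subject -AutoSize
```

Run it with `-StoreName CA`, `-StoreName NTAuth` or `-StoreName TrustedPublisher` to audit the other stores the same way; a root that exists only in the User physical store is the classic footprint of a per-user interception proxy or of a locally installed rogue CA.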
To get a list of further PowerShell cmdlets for certificate management:
```powershell
PS D:\> Get-Command -Module PKI
```
Michael